JSON Web Encryption

This exercise covers how you can create your own JWE if you have access to the public key used by the server

< 1 Hr.
Brown Badge


In this course, we explore the exploitation of vulnerabilities in applications that use JSON Web Encryption (JWE) for authentication. JWE tokens encrypt information using two keys: a Content Encryption Key (CEK) and a public key. The integrity of the data is protected by the CEK, making it difficult for an attacker to tamper with the data without this key. However, the availability of the public key to users introduces a significant security flaw.

Through a series of practical steps, you will learn how to create your own JWE token using the public key provided by the application. This course demonstrates that even with encrypted values and data integrity mechanisms, it is possible to forge tokens and gain unauthorized access. By the end of the course, you will understand the design issues of JWE and how to exploit them to achieve administrative access in a vulnerable application.

Want to learn more? Get started with PentesterLab Pro! GO PRO